Always Install Elevated Windows Installer
- source: sigma
- techniques:
  - t1548
  - t1548.002
Description
Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
Detection logic
selection_image_1:
    Image|contains|all:
        - '\Windows\Installer\'
        - 'msi'
    Image|endswith: 'tmp'
selection_image_2:
    Image|endswith: '\msiexec.exe'
    IntegrityLevel:
        - 'System'
        - 'S-1-16-16384'
selection_user:
    User|contains:
        - 'AUTHORI'
        - 'AUTORI'
filter_installer:
    ParentImage: 'C:\Windows\System32\services.exe'
filter_repair:
    - CommandLine|endswith: '\system32\msiexec.exe /V'
    - ParentCommandLine|endswith: '\system32\msiexec.exe /V'
filter_avast:
    ParentImage|startswith:
        - 'C:\Program Files\Avast Software\'
        - 'C:\Program Files (x86)\Avast Software\'
filter_avira:
    ParentImage|startswith: 'C:\ProgramData\Avira\'
filter_google_update:
    ParentImage|startswith:
        - 'C:\Program Files\Google\Update\'
        - 'C:\Program Files (x86)\Google\Update\'
filter_sophos:
    ParentImage|startswith: 'C:\ProgramData\Sophos\'
condition: 1 of selection_image_* and selection_user and not 1 of filter_*
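The detection block above, re-implemented as a plain Python predicate and run over a handful of constructed process_creation events, so the effect of each selection and filter can be checked by hand. This is an added example, not code from the Sigma project or this page; the event field names follow the rule, the sample events and the helper names are invented.

```python
# Sigma string modifiers compare case-insensitively, so every comparison lowercases both sides.
SYSTEM_INTEGRITY = {"system", "s-1-16-16384"}
USER_TOKENS = ("authori", "autori")  # "NT AUTHORITY" plus localized spellings such as "NT-AUTORITÄT"
REPAIR_SUFFIX = "\\system32\\msiexec.exe /v"  # filter_repair (rule value is '/V', matched case-insensitively)
VENDOR_PARENTS = tuple(p.lower() for p in (  # filter_avast / filter_avira / filter_google_update / filter_sophos
    "C:\\Program Files\\Avast Software\\", "C:\\Program Files (x86)\\Avast Software\\",
    "C:\\ProgramData\\Avira\\", "C:\\Program Files\\Google\\Update\\",
    "C:\\Program Files (x86)\\Google\\Update\\", "C:\\ProgramData\\Sophos\\"))

def _f(ev, field):  # lower-cased field value; an absent field never matches, as in Sigma
    return str(ev.get(field, "")).lower()

def selection_image_1(ev):  # Image|contains|all plus Image|endswith
    img = _f(ev, "Image")
    return "\\windows\\installer\\" in img and "msi" in img and img.endswith("tmp")

def selection_image_2(ev):
    return _f(ev, "Image").endswith("\\msiexec.exe") and _f(ev, "IntegrityLevel") in SYSTEM_INTEGRITY

def selection_user(ev):
    return any(tok in _f(ev, "User") for tok in USER_TOKENS)

def any_filter(ev):  # "1 of filter_*"
    parent = _f(ev, "ParentImage")
    return (parent == "c:\\windows\\system32\\services.exe"  # filter_installer
            or parent.startswith(VENDOR_PARENTS)
            or _f(ev, "CommandLine").endswith(REPAIR_SUFFIX)
            or _f(ev, "ParentCommandLine").endswith(REPAIR_SUFFIX))

def matches(ev):  # condition: 1 of selection_image_* and selection_user and not 1 of filter_*
    return (selection_image_1(ev) or selection_image_2(ev)) and selection_user(ev) and not any_filter(ev)

def _event(eid, image, integrity, user, parent, cmd="", parent_cmd=""):
    return {"id": eid, "Image": image, "IntegrityLevel": integrity, "User": user,
            "ParentImage": parent, "CommandLine": cmd, "ParentCommandLine": parent_cmd}
MSIEXEC = "C:\\Windows\\System32\\msiexec.exe"
SAMPLE_EVENTS = [  # constructed process_creation events, not real telemetry
    _event("msi-from-user-temp", MSIEXEC, "System", "NT AUTHORITY\\SYSTEM",
           "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", MSIEXEC + " /i pkg.msi /qn"),
    _event("service-repair", MSIEXEC, "System", "NT AUTHORITY\\SYSTEM",
           "C:\\Windows\\System32\\services.exe", MSIEXEC + " /V"),
    _event("installer-tmp", "C:\\Windows\\Installer\\MSI4F2A.tmp", "System", "NT AUTHORITY\\SYSTEM",
           MSIEXEC, parent_cmd=MSIEXEC + " /i C:\\Users\\alice\\Downloads\\tool.msi"),
    _event("vendor-updater", MSIEXEC, "S-1-16-16384", "NT AUTHORITY\\SYSTEM",
           "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"),
    _event("standard-user", MSIEXEC, "Medium", "CORP\\alice", "C:\\Windows\\explorer.exe"),
    _event("localized-user", MSIEXEC, "System", "NT-AUTORITÄT\\SYSTEM", "C:\\Users\\bob\\Downloads\\tool.exe"),
]
def alerts(events=SAMPLE_EVENTS):  # ids of the events the rule fires on, in input order
    return [ev["id"] for ev in events if matches(ev)]
```

Only the SYSTEM-integrity msiexec launches with a non-service, non-vendor parent and the Installer-directory .tmp custom action fire; the services.exe repair run and the Google updater are dropped by the filters.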